Exam CS0-003 topic 1 question 140 discussion

The answer is B) True negative The criteria for triggering the alert was 10 failed logins. Only 9 occurred, so no alert should be generated since the criteria wasn't met. If it's reporting prematurely, then the SIEM rule is failing and generating a false positive. If no attack was detected with 9 failed logins, then the rule is working, in other words, a True Negative, meaning there really wasn't an alert that needed to be reported.

False negative occurs when a threat is present but goes undetected by the security control. The attacker attempted nine failed logins. The SIEM rule triggers alerts only on ten or more within one minute. Because it didn’t meet the threshold, the SIEM did not alert, even though suspicious activity occurred. This means the attack was real but not detected, which is the definition of a false negative.

"However, the control was unable to detect an ATTACK with nine failed logins" I think that's the key statement. They clearly point out that this was an attack that did not get reported, therefore, false negative.

The threshold is 10...Not 9. No trigger = True.

Correct Answer: C. False negative Analysis: A false negative occurs when a security control fails to detect a malicious activity or attack that is indeed happening. In this case, the SIEM rule was set to trigger an alert after ten failed logins within one minute. However, the attack involved nine failed logins, which means the rule did not trigger an alert. Therefore, the control missed the attack, classifying this scenario as a false negative. Explanation of Other Options: A. False positive: This occurs when a security control incorrectly identifies benign activity as malicious. Here, there was no incorrect alert; rather, an alert was missed. B. True negative: This means no attack occurred, and no alert was triggered, which is not the case here since an attack was present. D. True positive: This means a legitimate attack was detected correctly, which is also not the case here since the attack was missed by the control.

false negative

The logic is straightforward: "However, the control failed to detect an attack after nine failed login attempts." This indicates that an attack OCCURED but went UNDETECTED, which is a clear false negative due to improper settings. This wasn't a case of a legitimate user repeatedly entering the wrong password; the statement clearly mentions that an attack went unnoticed.

False negative. It means that you had a negative that wasn't detected. It's easy to compare if you look at false positives (which can be common): when a false positive happens it means your rule is detecting something as being malicious when it's not. In this case, your rule is NOT detecting something malicious when it IS malicious.

A false negative occurs when a security control fails to detect an attack or threat that is actually present. In this case, the SIEM rule was designed to detect attacks based on ten failed logins within one minute, but the attacker performed nine failed logins, which went undetected. Since the attack occurred but wasn't detected due to the threshold set in the rule, this is a false negative.

Going with False Negative here, it says it detected an attack, but since its below the threshold, it wasnt reported.

The correct answer is C. False negative. Here's a breakdown of the terms: False positive: This occurs when a security system incorrectly identifies a legitimate event as malicious. True negative: This occurs when a security system correctly identifies a legitimate event as legitimate. False negative: This occurs when a security system fails to identify a malicious event. True positive: This occurs when a security system correctly identifies a malicious event. In this case, the SIEM rule was unable to detect an attack with nine failed logins, even though it was designed to do so. This indicates a failure to identify a malicious event, which is a false negative.

See my earlier comments. It's False Negative - something bad happening, no alarm triggered. So it's actually C.

True Negative means something bad was happening but no alarm was triggered. So, although there was an ongoing attack (something bad), the threshold wasn't reached and so no alert (no alarm triggered). So I'd go with B.

A true negative means that no attack occurred, and correctly, no alert was generated. A false negative occurs when a detection system fails to alert on an actual malicious activity or attack, as happened here.

An False Positive would be if the SIEM triggered an alert for an event that was not actually malicious or relevant. the answer would be B because the SIEM did not give you an alert because the number of failed logins did not meet the threshold of TEN so how can this be a false positive??? when the SIEM behaved as what it was expected to do??

I was convinced this was a true negative because it wasn't the scanner's fault, but upon further research, I have determined that this would be a false negative. This is because there was an actual attack happening. False negatives are a common occurrence due to misconfiguration of security devices.

I see many saying the threshold is set to high at 10 attempts. I completely agree however it does not change the fact that the number of attempts were 9. Common sense would say that an attack is definitely occurring but by definition if going by the book for test purposes the answer would be True Negative due to there not being 10 attempts for the alert trigger. This question is a dirty one to throw on the test. Just hope you do not get it on your test version.